It finally happened. At the start of DockerCon Europe and a week before KubeCon was set to take place in the U.S., researchers discovered the first major vulnerability within Kubernetes, the popular cloud container orchestration system.
What is the Flaw?
The vulnerability — CVE-2018-1002105 — is a Kubernetes privilege escalation flaw where any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server by making a network request.
Once established, an attacker can send arbitrary requests over the network connection directly to that backend. What’s worse is that these requests are authenticated with the Kubernetes API server Transport Layer Security (TLS) credentials.
As reported in the original Github post, “in default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation,” which means that anyone who knows about this hole (a majority of people at this point) can take control of your Kubernetes cluster.
As bad as that sounds, a flaw within the Kubernetes service should not come as a surprise to those within the security industry. Historically, there’s been a tendency to treat security as an afterthought with new and emerging technologies such as containers, orchestration, serverless and even the cloud, and as the most popular orchestration service on the market, it was only a matter of time before Kubernetes had its first vulnerability.
How Did This Happen?
The need to provide personalization at scale is driving organizations to adopt modern technologies like cloud, containers, orchestration platforms (Docker, Kubernetes), serverless, etc. As customer experience becomes king, the adoption of these new microservices technologies is not only key for speeding innovation and personalization, but also for providing a seamless experience for end users.
Unfortunately, there are a lot of misconceptions and misunderstandings around getting started with Kubernetes, especially with those organizations just beginning to adopt DevOps or DevSecOps approaches. And without the proper tools in place, organizations are struggling to properly monitor Kubernetes and the investments they’re making in these modern architectures at scale, which can ultimately lead to performance and security issues.
Movements like DevSecOps help bridge the communication gap between teams to prevent security incidents such as this, and is another example of the importance of how development and security need to be in lockstep to establish guardrails and best practices while maintaining agility.
Unfortunately, many organizations — even with a mature continuous integration and continuous delivery (CI/CD) pipeline process — lack the tools to provide them visibility into the proper security and configuration of not just containers, but also their cloud development and release processes as a whole.
What’s the Solution?
At the center of all of this is machine data, and the need to ingest it, interpret it and monitor it. That’s why organizations are turning to integrated platform solutions built specifically to support these modern application technologies and that can turn complex machine data into actionable operational, security and business insights.
When monitoring an application, you always need to be able to answer two critical questions: What is happening and why is this happening? And like any application, Kubernetes generates a comprehensive set of machine data that allows you to always answer those “what and why” questions while also providing capabilities to identify issues and take action to remediate without impacting the overall customer experience.
That’s why earlier this year, we’ve announced significant platform enhancements for monitoring modern applications including Kubernetes, Docker and Amazon Elastic Container Service for Kubernetes (EKS). This provides our customers with deeper and ubiquitous native support for Kubernetes to further reduce downtime, as well as the ability to gather performance metrics and KPIs from unstructured logs and turn it into contextual metadata that is easily understood by technical and non-technical groups alike.
We’ve also have been significantly enhancing our security analytics offerings with the announcement of a new cloud SIEM solution. The reality is that legacy on-premises SIEM systems haven’t kept up with the rate of innovation around emerging technologies and as such they lack the tools to identify, investigate and prioritize security threats and compliance gaps for modern applications in the cloud.
Sumo Logic was built in the cloud and focused from the start to help enterprises migrate their workloads to the cloud and adopt cloud-first technologies. The cloud and security for the cloud have always been a part of our DNA, and Sumo Logic has unique perspectives on these problems derived from deep experience with customers at all stages of cloud and application evolution, particularly with modern environments. As a result, our platform delivers native elastic scale for continuous security analytics and deployment agility, enabling new horizontal and scalable workflows across lines of business, development, security and operations.
Organizations that are creating and moving applications, infrastructure and workloads to the cloud need a cloud-native solution that is fluent in cloud infrastructure, cloud application stacks and security in the cloud in order to tightly managing their security and compliance in these increasingly mainstream environments.
Organizations need to invest in solutions that provide them with highly scalable and accelerated detection and investigation capabilities for the rapidly evolving and expanding threat surfaces of cloud and hybrid environments.
The Bottom Line
This news is a reminder that containers and orchestration platforms are not impenetrable from malicious actors looking to get their hands on sensitive data, disrupt your business or crypto mine your cloud resources. And when you think about the scale of the exposure, it becomes an even bigger concern. The big selling points of Kubernetes are its fundamental speed, orchestration, automation and scale. All of those positive qualities become an instant detriment when a security issue arises because they rapidly expand the attack surface.
Moving forward, developers must leverage Kubernetes machine data to proactively identify vulnerabilities and stop potential attacks. If developers — and digital businesses as a whole — are not able to correctly identify vulnerabilities and monitor their Kubernetes deployments continuously to identify potential security breaches, their business and reputation will be tarnished.
The fact still remains that no software or network is 100 percent secure, and that means you need the proper controls, tools and processes in place for complete visibility inside containers and Kubernetes deployments.
Visit us at KubeCon!
The Sumo Logic team will be at KubeCon 2018 in Seattle this week from December 11-13. If you want to learn more about our support for Docker and Kubernetes, including the Sumo Logic Amazon EKS App, stop by our booth G11, to learn more.